Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities found for EasyFlow .NET by DigiWin
CVE-2026-5964 (GCVE-0-2026-5964)
Vulnerability from nvd – Published: 2026-04-20 07:36 – Updated: 2026-04-20 13:38
VLAI
Title
Digiwin|EasyFlow .NET - SQL Injection
Summary
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
6.1.*
Affected: 6.6.* Affected: 8.1.1 , ≤ 8.1.2 (custom) |
Date Public
2026-04-20 07:33
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:38:00.563928Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:38:08.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
},
{
"lessThanOrEqual": "8.1.2",
"status": "affected",
"version": "8.1.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-20T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T07:36:58.476Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;Update to version 8.1.3 or later, or install patch 2025/07/15."
}
],
"value": "Update to version 8.1.3 or later, or install patch 2025/07/15."
}
],
"source": {
"advisory": "TVN-202604006",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-5964",
"datePublished": "2026-04-20T07:36:58.476Z",
"dateReserved": "2026-04-09T10:34:41.136Z",
"dateUpdated": "2026-04-20T13:38:08.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5963 (GCVE-0-2026-5963)
Vulnerability from nvd – Published: 2026-04-20 07:32 – Updated: 2026-04-20 13:42
VLAI
Title
Digiwin|EasyFlow .NET - SQL Injection
Summary
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
6.1.*
Affected: 6.6.* Affected: 8.1.1 , ≤ 8.1.4 (custom) |
Date Public
2026-04-20 07:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:41:55.563772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:42:03.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
},
{
"lessThanOrEqual": "8.1.4",
"status": "affected",
"version": "8.1.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-20T07:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T07:33:10.714Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to version 8.1.5 or later, or install patch 2026/01/20."
}
],
"value": "Update to version 8.1.5 or later, or install patch 2026/01/20."
}
],
"source": {
"advisory": "TVN-202604006",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-5963",
"datePublished": "2026-04-20T07:32:20.443Z",
"dateReserved": "2026-04-09T10:34:39.912Z",
"dateUpdated": "2026-04-20T13:42:03.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12503 (GCVE-0-2025-12503)
Vulnerability from nvd – Published: 2025-11-03 06:51 – Updated: 2025-11-03 13:48
VLAI
Title
Digiwin|EasyFlow .NET and EasyFlow AiNet
Summary
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10475-01c6d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10476-c8448-2.html | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
0 , ≤ 6.6.19
(custom)
|
|
| Digiwin | EasyFlow AiNet |
Affected:
0 , ≤ 8.1.1
(custom)
|
Date Public
2025-11-03 06:40
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T13:40:53.098566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T13:48:19.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "6.6.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EasyFlow AiNet",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-11-03T06:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."
}
],
"value": "EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T06:51:55.994Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10475-01c6d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10476-c8448-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520 \u003cbr\u003eUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520 \nUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"source": {
"advisory": "TVN-202511001",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET and EasyFlow AiNet",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-12503",
"datePublished": "2025-11-03T06:51:55.994Z",
"dateReserved": "2025-10-30T12:15:03.063Z",
"dateUpdated": "2025-11-03T13:48:19.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11949 (GCVE-0-2025-11949)
Vulnerability from nvd – Published: 2025-10-21 06:49 – Updated: 2025-10-21 14:08
VLAI
Title
Digiwin|EasyFlow .NET and EasyFlow AiNet - Missing Authentication
Summary
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10454-35844-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10455-5b9ac-2.html | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
0 , ≤ 6.6.19
(custom)
|
|
| Digiwin | EasyFlow AiNet |
Affected:
0 , ≤ 8.1.1
(custom)
|
Date Public
2025-10-21 06:45
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T13:41:30.518005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T14:08:23.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "6.6.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EasyFlow AiNet",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-21T06:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality."
}
],
"value": "EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T06:49:56.119Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10454-35844-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10455-5b9ac-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520\u003cbr\u003eUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520\u003cbr\u003e"
}
],
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520\nUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"source": {
"advisory": "TVN-202510007",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET and EasyFlow AiNet - Missing Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-11949",
"datePublished": "2025-10-21T06:49:56.119Z",
"dateReserved": "2025-10-20T06:13:11.870Z",
"dateUpdated": "2025-10-21T14:08:23.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7323 (GCVE-0-2024-7323)
Vulnerability from nvd – Published: 2024-08-02 10:36 – Updated: 2024-08-02 14:02
VLAI
Title
Digiwin EasyFlow .NET - Arbitrary File Download
Summary
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server .
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-36 - Absolute Path Traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7989-9c4ea-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-7990-87183-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
5.*
Affected: 6.1.* Affected: 6.6.* |
Date Public
2024-08-02 10:33
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T13:53:41.387588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:02:20.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "5.*"
},
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
}
]
}
],
"datePublic": "2024-08-02T10:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDigiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server .\u003c/span\u003e"
}
],
"value": "Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server ."
}
],
"impacts": [
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36 Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T10:36:51.855Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7989-9c4ea-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-7990-87183-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor version V5.x and V6.1.x, please install the patch (released on 2024/05/20).\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor version V6.6.x, please update to version V6.6.17 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "For version V5.x and V6.1.x, please install the patch (released on 2024/05/20).\nFor version V6.6.x, please update to version V6.6.17 or later."
}
],
"source": {
"advisory": "TVN-202407020",
"discovery": "EXTERNAL"
},
"title": "Digiwin EasyFlow .NET - Arbitrary File Download",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-7323",
"datePublished": "2024-08-02T10:36:51.855Z",
"dateReserved": "2024-07-31T11:18:44.196Z",
"dateUpdated": "2024-08-02T14:02:20.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5311 (GCVE-0-2024-5311)
Vulnerability from nvd – Published: 2024-06-03 06:26 – Updated: 2024-08-01 21:11
VLAI
Title
DigiWin EasyFlow .NET - SQL Injection
Summary
DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html | third-party-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| DigiWin | EasyFlow .NET |
Affected:
5.x
Affected: 6.1.x Affected: 6.6.x , < 6.6.16 (custom) |
|
| digiwin | easyflow_.net |
Affected:
5.x
cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.1.x
cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.6.x , < 6.6.16
(custom)
cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:* |
Date Public
2024-06-03 06:22
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "5.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"lessThan": "6.6.16",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T15:46:02.329279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:01:54.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:11:12.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "DigiWin",
"versions": [
{
"status": "affected",
"version": "5.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"lessThan": "6.6.16",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-06-03T06:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records."
}
],
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-03T06:26:52.313Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install patch for V5.x and V6.1.x (released on 2024/02/01 or later).\u003cbr\u003eUpdate V6.6.x to V6.6.16 or later version.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Install patch for V5.x and V6.1.x (released on 2024/02/01 or later).\nUpdate V6.6.x to V6.6.16 or later version."
}
],
"source": {
"advisory": "TVN-202406001",
"discovery": "EXTERNAL"
},
"title": "DigiWin EasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-5311",
"datePublished": "2024-06-03T06:26:52.313Z",
"dateReserved": "2024-05-24T07:09:03.399Z",
"dateUpdated": "2024-08-01T21:11:12.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4893 (GCVE-0-2024-4893)
Vulnerability from nvd – Published: 2024-05-15 02:31 – Updated: 2024-08-01 20:55
VLAI
Title
DigiWin EasyFlow .NET - SQL Injection
Summary
DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html | third-party-advisory |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| DigiWin | EasyFlow .NET |
Affected:
3.x
Affected: 5.x Affected: 6.1.x Affected: 6.6.x , < v6.6.15 (custom) |
|
| digiwin | easyflow_.net |
Affected:
6.6.x
cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
3.x
cpe:2.3:a:digiwin:easyflow_.net:3.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
5.x
cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.1.x
cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:* |
Date Public
2024-05-15 02:17
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.6.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:3.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "3.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "5.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.x"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T14:28:12.553304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:01.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "DigiWin",
"versions": [
{
"status": "affected",
"version": "3.x"
},
{
"status": "affected",
"version": "5.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"lessThan": "v6.6.15",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-05-15T02:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands."
}
],
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-03T09:48:43.162Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install patch for V3.x, V5.x and V6.1.x (released on 2023/12/30 or later).\u003cbr\u003eUpdate V6.6.x to V6.6.15 or later version."
}
],
"value": "Install patch for V3.x, V5.x and V6.1.x (released on 2023/12/30 or later).\nUpdate V6.6.x to V6.6.15 or later version."
}
],
"source": {
"advisory": "TVN-202405001",
"discovery": "EXTERNAL"
},
"title": "DigiWin EasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-4893",
"datePublished": "2024-05-15T02:31:29.475Z",
"dateReserved": "2024-05-15T02:08:20.026Z",
"dateUpdated": "2024-08-01T20:55:10.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-5964 (GCVE-0-2026-5964)
Vulnerability from cvelistv5 – Published: 2026-04-20 07:36 – Updated: 2026-04-20 13:38
VLAI
Title
Digiwin|EasyFlow .NET - SQL Injection
Summary
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
6.1.*
Affected: 6.6.* Affected: 8.1.1 , ≤ 8.1.2 (custom) |
Date Public
2026-04-20 07:33
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:38:00.563928Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:38:08.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
},
{
"lessThanOrEqual": "8.1.2",
"status": "affected",
"version": "8.1.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-20T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T07:36:58.476Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;Update to version 8.1.3 or later, or install patch 2025/07/15."
}
],
"value": "Update to version 8.1.3 or later, or install patch 2025/07/15."
}
],
"source": {
"advisory": "TVN-202604006",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-5964",
"datePublished": "2026-04-20T07:36:58.476Z",
"dateReserved": "2026-04-09T10:34:41.136Z",
"dateUpdated": "2026-04-20T13:38:08.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5963 (GCVE-0-2026-5963)
Vulnerability from cvelistv5 – Published: 2026-04-20 07:32 – Updated: 2026-04-20 13:42
VLAI
Title
Digiwin|EasyFlow .NET - SQL Injection
Summary
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
6.1.*
Affected: 6.6.* Affected: 8.1.1 , ≤ 8.1.4 (custom) |
Date Public
2026-04-20 07:28
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:41:55.563772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:42:03.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
},
{
"lessThanOrEqual": "8.1.4",
"status": "affected",
"version": "8.1.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-20T07:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"value": "EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T07:33:10.714Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to version 8.1.5 or later, or install patch 2026/01/20."
}
],
"value": "Update to version 8.1.5 or later, or install patch 2026/01/20."
}
],
"source": {
"advisory": "TVN-202604006",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-5963",
"datePublished": "2026-04-20T07:32:20.443Z",
"dateReserved": "2026-04-09T10:34:39.912Z",
"dateUpdated": "2026-04-20T13:42:03.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12503 (GCVE-0-2025-12503)
Vulnerability from cvelistv5 – Published: 2025-11-03 06:51 – Updated: 2025-11-03 13:48
VLAI
Title
Digiwin|EasyFlow .NET and EasyFlow AiNet
Summary
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10475-01c6d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10476-c8448-2.html | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
0 , ≤ 6.6.19
(custom)
|
|
| Digiwin | EasyFlow AiNet |
Affected:
0 , ≤ 8.1.1
(custom)
|
Date Public
2025-11-03 06:40
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T13:40:53.098566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T13:48:19.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "6.6.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EasyFlow AiNet",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-11-03T06:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."
}
],
"value": "EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T06:51:55.994Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10475-01c6d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10476-c8448-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520 \u003cbr\u003eUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520 \nUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"source": {
"advisory": "TVN-202511001",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET and EasyFlow AiNet",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-12503",
"datePublished": "2025-11-03T06:51:55.994Z",
"dateReserved": "2025-10-30T12:15:03.063Z",
"dateUpdated": "2025-11-03T13:48:19.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11949 (GCVE-0-2025-11949)
Vulnerability from cvelistv5 – Published: 2025-10-21 06:49 – Updated: 2025-10-21 14:08
VLAI
Title
Digiwin|EasyFlow .NET and EasyFlow AiNet - Missing Authentication
Summary
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10454-35844-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10455-5b9ac-2.html | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
0 , ≤ 6.6.19
(custom)
|
|
| Digiwin | EasyFlow AiNet |
Affected:
0 , ≤ 8.1.1
(custom)
|
Date Public
2025-10-21 06:45
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T13:41:30.518005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T14:08:23.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "6.6.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EasyFlow AiNet",
"vendor": "Digiwin",
"versions": [
{
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-10-21T06:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality."
}
],
"value": "EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T06:49:56.119Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10454-35844-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10455-5b9ac-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520\u003cbr\u003eUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520\u003cbr\u003e"
}
],
"value": "Update EasyFlow.NET to version 6.6.19 and install the patch 20250520\nUpdate EasyFlow AiNet to version 8.1.1 and install the patch 20250520"
}
],
"source": {
"advisory": "TVN-202510007",
"discovery": "EXTERNAL"
},
"title": "Digiwin\uff5cEasyFlow .NET and EasyFlow AiNet - Missing Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2025-11949",
"datePublished": "2025-10-21T06:49:56.119Z",
"dateReserved": "2025-10-20T06:13:11.870Z",
"dateUpdated": "2025-10-21T14:08:23.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7323 (GCVE-0-2024-7323)
Vulnerability from cvelistv5 – Published: 2024-08-02 10:36 – Updated: 2024-08-02 14:02
VLAI
Title
Digiwin EasyFlow .NET - Arbitrary File Download
Summary
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server .
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-36 - Absolute Path Traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7989-9c4ea-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-7990-87183-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Digiwin | EasyFlow .NET |
Affected:
5.*
Affected: 6.1.* Affected: 6.6.* |
Date Public
2024-08-02 10:33
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T13:53:41.387588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:02:20.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "Digiwin",
"versions": [
{
"status": "affected",
"version": "5.*"
},
{
"status": "affected",
"version": "6.1.*"
},
{
"status": "affected",
"version": "6.6.*"
}
]
}
],
"datePublic": "2024-08-02T10:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDigiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server .\u003c/span\u003e"
}
],
"value": "Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. A remote attacker with regular privilege can exploit this vulnerability to download arbitrary files from the remote server ."
}
],
"impacts": [
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36 Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T10:36:51.855Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7989-9c4ea-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-7990-87183-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor version V5.x and V6.1.x, please install the patch (released on 2024/05/20).\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor version V6.6.x, please update to version V6.6.17 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "For version V5.x and V6.1.x, please install the patch (released on 2024/05/20).\nFor version V6.6.x, please update to version V6.6.17 or later."
}
],
"source": {
"advisory": "TVN-202407020",
"discovery": "EXTERNAL"
},
"title": "Digiwin EasyFlow .NET - Arbitrary File Download",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-7323",
"datePublished": "2024-08-02T10:36:51.855Z",
"dateReserved": "2024-07-31T11:18:44.196Z",
"dateUpdated": "2024-08-02T14:02:20.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5311 (GCVE-0-2024-5311)
Vulnerability from cvelistv5 – Published: 2024-06-03 06:26 – Updated: 2024-08-01 21:11
VLAI
Title
DigiWin EasyFlow .NET - SQL Injection
Summary
DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html | third-party-advisory |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| DigiWin | EasyFlow .NET |
Affected:
5.x
Affected: 6.1.x Affected: 6.6.x , < 6.6.16 (custom) |
|
| digiwin | easyflow_.net |
Affected:
5.x
cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.1.x
cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.6.x , < 6.6.16
(custom)
cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:* |
Date Public
2024-06-03 06:22
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "5.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"lessThan": "6.6.16",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T15:46:02.329279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:01:54.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:11:12.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "DigiWin",
"versions": [
{
"status": "affected",
"version": "5.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"lessThan": "6.6.16",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-06-03T06:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records."
}
],
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-03T06:26:52.313Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install patch for V5.x and V6.1.x (released on 2024/02/01 or later).\u003cbr\u003eUpdate V6.6.x to V6.6.16 or later version.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Install patch for V5.x and V6.1.x (released on 2024/02/01 or later).\nUpdate V6.6.x to V6.6.16 or later version."
}
],
"source": {
"advisory": "TVN-202406001",
"discovery": "EXTERNAL"
},
"title": "DigiWin EasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-5311",
"datePublished": "2024-06-03T06:26:52.313Z",
"dateReserved": "2024-05-24T07:09:03.399Z",
"dateUpdated": "2024-08-01T21:11:12.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4893 (GCVE-0-2024-4893)
Vulnerability from cvelistv5 – Published: 2024-05-15 02:31 – Updated: 2024-08-01 20:55
VLAI
Title
DigiWin EasyFlow .NET - SQL Injection
Summary
DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html | third-party-advisory |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| DigiWin | EasyFlow .NET |
Affected:
3.x
Affected: 5.x Affected: 6.1.x Affected: 6.6.x , < v6.6.15 (custom) |
|
| digiwin | easyflow_.net |
Affected:
6.6.x
cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
3.x
cpe:2.3:a:digiwin:easyflow_.net:3.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
5.x
cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:* |
|
| digiwin | easyflow_.net |
Affected:
6.1.x
cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:* |
Date Public
2024-05-15 02:17
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.6.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.6.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:3.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "3.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "5.x"
}
]
},
{
"cpes": [
"cpe:2.3:a:digiwin:easyflow_.net:6.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "easyflow_.net",
"vendor": "digiwin",
"versions": [
{
"status": "affected",
"version": "6.1.x"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T14:28:12.553304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:01.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyFlow .NET",
"vendor": "DigiWin",
"versions": [
{
"status": "affected",
"version": "3.x"
},
{
"status": "affected",
"version": "5.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"lessThan": "v6.6.15",
"status": "affected",
"version": "6.6.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-05-15T02:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands."
}
],
"value": "DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-03T09:48:43.162Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install patch for V3.x, V5.x and V6.1.x (released on 2023/12/30 or later).\u003cbr\u003eUpdate V6.6.x to V6.6.15 or later version."
}
],
"value": "Install patch for V3.x, V5.x and V6.1.x (released on 2023/12/30 or later).\nUpdate V6.6.x to V6.6.15 or later version."
}
],
"source": {
"advisory": "TVN-202405001",
"discovery": "EXTERNAL"
},
"title": "DigiWin EasyFlow .NET - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-4893",
"datePublished": "2024-05-15T02:31:29.475Z",
"dateReserved": "2024-05-15T02:08:20.026Z",
"dateUpdated": "2024-08-01T20:55:10.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}